Hi,

we're currently trying to make use of RFC4255 SSHFP RR on linux
clients. As glibc does not support DNSSEC (yet?), the ssh client was
linked against libbind instead of libresolv.

However, I'm hitting a problem trying to fetch the RRSIG records
(libbind from 9.3.4, with RES_OPTIONS="debug edns0"):

;; res_setoptions("edns0 debug", "env")...
;; debug
;; res_query(etna.genoscope.cns.fr, 1, 44)
;; res_nmkquery(QUERY, etna.genoscope.cns.fr, IN, TYPE44)
;; res_nopt()
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42216
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; etna.genoscope.cns.fr, type = TYPE44, class = IN
; EDNS: version: 0, udp=0, flags=0000

It appears the DO bit is not set here, so the server doesn't include
the relevant RRs in the reply.

If I try to force usage of DNSSEC (quick-and-dirty source
modification), this is what I get:

;; res_setoptions("edns0 debug dnssec", "env")...
;; debug
;; res_query(etna.genoscope.cns.fr, 1, 44)
;; res_nmkquery(QUERY, etna.genoscope.cns.fr, IN, TYPE44)
;; res_nopt()
;; res_opt()... ENDS0 DNSSEC
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3821
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; etna.genoscope.cns.fr, type = TYPE44, class = IN
; EDNS: version: 0, udp=0, flags=8000

The DO bit is set, and the server does return RRSIG records, however:

;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3821
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 7
;; etna.genoscope.cns.fr, type = TYPE44, class = IN
etna.genoscope.cns.fr. 2D IN TYPE44 \# 22 ( ; unknown RR type
[...]
etna.genoscope.cns.fr. 2D IN TYPE46 \# 164 (; unknown RR type
[...]
; EDNS: version: 0, udp=4096, flags=8000
debug1: found 1 insecure fingerprints in DNS

So it seems the resolver does not recognize the RRSIG RR for some
reason...

Any hint?

Simon

--
Simon Vallet
Systems/Network Engineer
Genoscope / CNRG
Tel.: 01 60 87 36 06
E-mail: svallet@genoscope.cns.fr
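The two things the debug output above turns on are both wire-format details: the DO bit is the high bit of the 16-bit EDNS flags carried in the TTL field of the OPT pseudo-RR (the `flags=0000` versus `flags=8000` lines), and TYPE44/TYPE46 are SSHFP and RRSIG RDATA that libbind 9.3.4 simply has no presentation format for. The following is an added example, not code from the original message or from libbind/OpenSSH: it builds an SSHFP query with an EDNS0 OPT record with or without DO, parses a reply, and decodes SSHFP and RRSIG RDATA so the "unknown RR type" blobs become readable. It runs offline against a reply it constructs itself; the fingerprint, signature bytes, timestamps, key tag and all function names are assumptions of this example, though the RDATA lengths (22 and 164 bytes) are chosen to match the `\# 22` and `\# 164` in the post.

```python
# Added example, not code from the original message: build the SSHFP query
# the post describes (EDNS0 OPT record with the DO bit, RFC 3225) and parse a
# constructed reply containing the TYPE44/TYPE46 records that libbind printed
# as "unknown RR type". Pure wire-format handling with the standard library;
# every function name here is an assumption of this example, and build_reply()
# fabricates its data (fingerprint, signature, timestamps, key tag).
import struct

TYPE_OPT, TYPE_SSHFP, TYPE_RRSIG = 41, 44, 46
EDNS_DO = 0x8000  # DNSSEC OK bit: high bit of the 16-bit EDNS flags


def encode_name(name):
    """Uncompressed wire form of a domain name."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Read a (possibly compressed) name at msg[off]; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def opt_record(udp_size, flags):
    # OPT pseudo-RR: root owner, CLASS carries the UDP payload size, the TTL
    # field carries extended RCODE / version / flags, RDLENGTH 0.
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, flags, 0)


def build_query(name, qtype, qid=0x1234, dnssec_ok=True, udp_size=4096):
    """Query with RD set, one question and one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    return header + question + opt_record(udp_size, EDNS_DO if dnssec_ok else 0)


def build_reply(qid, name):
    """Constructed reply (qr aa rd ra): one SSHFP and one RRSIG covering it.
    RDATA sizes, 22 and 164 bytes, match the "\\# 22" / "\\# 164" in the post."""
    header = struct.pack("!HHHHHH", qid, 0x8580, 1, 2, 0, 1)
    question = encode_name(name) + struct.pack("!HH", TYPE_SSHFP, 1)
    owner = b"\xC0\x0C"  # pointer to the question name at offset 12
    sshfp_rdata = bytes([1, 1]) + bytes(range(20))  # alg 1 (RSA), fptype 1 (SHA-1), 20-byte fp
    sshfp = owner + struct.pack("!HHIH", TYPE_SSHFP, 1, 172800, len(sshfp_rdata)) + sshfp_rdata
    rrsig_rdata = (struct.pack("!HBBIIIH", TYPE_SSHFP, 5, 4, 172800, 1200000000, 1199000000, 12345)
                   + encode_name("genoscope.cns.fr") + bytes([0xAB]) * 128)  # 18 + 18 + 128 bytes
    rrsig = owner + struct.pack("!HHIH", TYPE_RRSIG, 1, 172800, len(rrsig_rdata)) + rrsig_rdata
    return header + question + sshfp + rrsig + opt_record(4096, EDNS_DO)


def parse_message(msg):
    """Decode the header, skip questions, decode OPT/SSHFP/RRSIG records."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # QTYPE + QCLASS
    edns, records = None, []
    for _ in range(an + ns + ar):
        owner, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_OPT:
            edns = {"udp_size": rclass, "version": (ttl >> 16) & 0xFF,
                    "do": bool(ttl & EDNS_DO)}
        elif rtype == TYPE_SSHFP:
            records.append({"type": "SSHFP", "owner": owner, "rdlen": rdlen,
                            "algorithm": rdata[0], "fptype": rdata[1],
                            "fingerprint": rdata[2:].hex()})
        elif rtype == TYPE_RRSIG:
            covered, alg, labels, _, exp, inc, keytag = struct.unpack("!HBBIIIH", rdata[:18])
            signer, sig_off = decode_name(rdata, 18)  # signer name is never compressed
            records.append({"type": "RRSIG", "owner": owner, "rdlen": rdlen,
                            "covered": covered, "algorithm": alg, "labels": labels,
                            "key_tag": keytag, "signer": signer,
                            "signature_len": len(rdata) - sig_off})
        else:
            records.append({"type": rtype, "owner": owner, "rdlen": rdlen})
    return {"id": qid, "rcode": flags & 0xF, "edns": edns, "records": records}


if __name__ == "__main__":
    reply = parse_message(build_reply(0x1234, "etna.genoscope.cns.fr"))
    print("DO bit in reply:", reply["edns"]["do"])
    for rec in reply["records"]:
        print(rec)
```

Feeding `build_query(..., dnssec_ok=False)` through `parse_message` shows the same `do: False` state as the first debug trace, and the reply parser reports whether the server echoed DO and what the two opaque records actually contain (SSHFP algorithm/fingerprint type, RRSIG type covered, signer, key tag). Note that decoding an RRSIG is not validating it; a resolver that does not understand TYPE46 cannot do either, which is why the client still reports the fingerprint as insecure.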